The Windrush generation scandal currently engulfing Theresa May’s government has caused consternation on many fronts, but also serves as a useful reminder to organisations of the importance of record keeping and record maintenance. With the implementation date for the General Data Protection Regulation nearly upon us (25th May), these issues have never been more pertinent for many organisations.
As you may know, one of the issues preventing identification of Britons who arrived in this country as part of the Windrush generation is that landing cards confirming date of entry into the UK were destroyed sometime after 2009. The exact details of which administration (Labour or Conservative) is responsible and which government agency (the Home Office or UK Border Agency) took the decision are much debated in political quarters.
Regardless, the stark fact remains that the destruction of this data could have devastating consequences for thousands of Windrush generation Britons struggling to prove their status in the UK. The rationale given for the decision to destroy records is that it was in compliance with the Data Protection Act’s principle that data should be kept no longer than is necessary, a principle replicated in the GDPR.
Most organisations will already be well on their way to compliance with the GDPR. Those working on compliance will be aware of requirements in respect of retention periods and destruction of data. To put it simply, there are no set retention periods for data under the GDPR (or, indeed, under the current DPA). It is up to each organisation to determine appropriate periods in light of the reasons for its processing activities and the lawful basis on which data is processed.
So, what if, like the UK Border Agency, you hold historic data that no one’s given much thought to over the years? It could be hidden in dusty cupboards or archived in a damp basement. It may be in paper format, or perhaps hiding in the deep recesses of your old computers or myriad shared drive folders. Faced with the magnitude of decisions and actions to be taken to ensure GDPR compliance, some organisations may be thinking that it is easier to just get rid of historic data and start afresh.
If you’re looking at the calendar counting down to the 25th May with increasing dread and are concerned that your data cleanse activities will not be done in time, take a moment to reassess. Rather than take action which cannot be undone, it may be better to earmark resources to deal with historic data at a later date. For now, you may want to concentrate your resources on ensuring that your organisation has come to a clear decision about appropriate retention periods and that this is documented in your register of processing activity before the GDPR implementation date. As those affected by the Windrush scandal know only too well, deletion or destruction is a nuclear option; data cannot be recovered once it is gone.
The Information Commissioner herself has described the 25th May as a milestone in the journey to compliance, not a deadline. While organisations shouldn’t look on this as a signal that non-compliance is acceptable, it should give comfort that a considered, focussed plan which may take time to implement is likely to be more acceptable than taking knee-jerk actions which could place the organisation at greater risk in the long run.
If you’re struggling with GDPR planning, did you know that our website contains a multitude of helpful documents and guides to assist you? And, of course, our Employment Law and HR Consultancy teams will always be available to answer any employment law-related GDPR queries you may have.